PT-2024-32393 · Authentik · Authentik

Quentinmit · Published 2024-09-27 · Updated 2026-04-16 · CVE-2024-47077

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: authentik versions prior to 2024.8.3; authentik versions prior to 2024.6.5

Description: The issue allows access tokens issued to one application to be stolen and used to impersonate the user against any other proxy provider. A user can also take an access token they were legitimately issued for one application and use it to access another application that they are not allowed to access. This affects anyone who has more than one proxy provider application with different trust domains or different access control.

Recommendations: For versions prior to 2024.8.3, upgrade to version 2024.8.3 or later to fix the issue. For versions prior to 2024.6.5, upgrade to version 2024.6.5 or later to fix the issue.

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-AUTHENTIK-2024-47077
CVE-2024-47077
GHSA-8GFM-PR6X-PFH9

Affected Products

Authentik